Severity: CRITICAL · CVE-2026-35312 · Published · Modified · CNA: oracle

CVE-2026-35312: Vulnerability in the Oracle Virtual Directory product of Oracle Fusion Middleware (component: Virtual Directory Server)

Vulnerability in the Oracle Virtual Directory product of Oracle Fusion Middleware (component: Virtual Directory Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via LDAP to compromise Oracle Virtual Directory. Successful attacks of this vulnerability can result in takeover of Oracle Virtual Directory. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1 Base Score: 9.8
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A critical unauthenticated remote compromise vulnerability exists in Oracle Virtual Directory (component: Virtual Directory Server), affecting versions 12.2.1.4.0 and 14.1.2.0.0 of Oracle Fusion Middleware. An attacker with network access can exploit this flaw over LDAP without any credentials or user interaction. Successful exploitation results in full takeover of the Oracle Virtual Directory service, giving the attacker read, write, and denial-of-service capability over the directory. No fix versions have been published by Oracle; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Oracle Virtual Directory components. Any image in a connected registry or CI/CD pipeline running an affected version (12.2.1.4.0 or 14.1.2.0.0) is flagged automatically.

Triage (status: Available)

HarborGuard scores this CVE at CVSS 9.8 (Critical) and weights it against each environment's compliance policy to determine breach of policy thresholds and priority routing. Findings are directed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch (status: Pending upstream)

Because no upstream fix version exists, HarborGuard re-checks the Oracle advisory each ingest cycle and will make a patched-image rebuild available automatically the moment Oracle publishes a corrected release. In the interim, compensating controls are surfaced in the finding detail, including network-policy isolation of LDAP (port 389/636) ingress and egress filtering at the workload level.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Virtual Directory service over the network via LDAP; there is no requirement for local or physical access.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerability is exploitable by a completely unauthenticated attacker.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator on the target system.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup to succeed.

Blast Radius

  • Reads all directory data stored in Oracle Virtual Directory, including user credentials, group memberships, and any LDAP-backed application data.
  • Modifies or deletes directory entries, enabling privilege escalation in downstream systems that trust the directory for authentication and authorization.
  • Crashes or fully disrupts the Virtual Directory Server process, denying LDAP-dependent applications and users access to directory services.
  • Full service takeover allows the attacker to pivot the compromised directory server as a foothold into adjacent identity-dependent infrastructure.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged at Critical severity and surfaced immediately in the findings queue for any environment running an image that includes Oracle Virtual Directory 12.2.1.4.0 or 14.1.2.0.0. Because Oracle has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard re-checks the Oracle advisory on every ingest cycle; for customers with auto-remediation enabled, a rebuilt image and PR against affected workloads will be generated automatically the moment Oracle ships a corrected version. While no patch exists, the finding detail includes compensating-control guidance: restrict LDAP ingress (TCP 389 and 636) to the narrowest possible set of source CIDRs via Kubernetes NetworkPolicy or equivalent, apply egress filtering to prevent lateral movement from a compromised instance, and evaluate whether the Virtual Directory Server component can be disabled or isolated behind an internal-only network segment until a vendor patch is available.
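The compensating control described above (restrict LDAP ingress to TCP 389/636 from an approved source range and filter egress from the workload), written out as a Kubernetes NetworkPolicy. This is an added example, not HarborGuard's finding-detail content or Oracle configuration. It assumes the Oracle Virtual Directory pods run in a namespace named identity with the label app=oracle-virtual-directory, that the only legitimate LDAP clients sit in the constructed subnet 10.20.0.0/24, and that cluster DNS runs in kube-system with the standard k8s-app=kube-dns label.

```yaml
# Added example (not HarborGuard or Oracle code). Assumed: namespace "identity",
# pod label app=oracle-virtual-directory, constructed client CIDR 10.20.0.0/24.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ovd-ldap-restrict
  namespace: identity
spec:
  podSelector:
    matchLabels:
      app: oracle-virtual-directory
  # Declaring both types makes the policy default-deny for this pod:
  # any traffic not matched by a rule below is dropped.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the approved client subnet may reach LDAP (389) and LDAPS (636).
    - from:
        - ipBlock:
            cidr: 10.20.0.0/24
      ports:
        - protocol: TCP
          port: 389
        - protocol: TCP
          port: 636
  egress:
    # Permit DNS resolution via cluster DNS only; all other egress is blocked,
    # which limits lateral movement from a compromised instance.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply it with kubectl apply -f and confirm the cluster's CNI actually enforces NetworkPolicy (a cluster whose network plugin ignores the resource will accept it silently). If the Virtual Directory instance proxies to backend LDAP servers or databases, add an egress rule for each of those destinations; with the policy as written, every connection other than DNS is refused, so a missing backend rule will surface as directory lookups failing rather than as a security gap.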

Affected packages

  • Oracle Corporation / Oracle Virtual Directory: 12.2.1.4.0, 14.1.2.0.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H